
Home Antivirus 2010 plus more of its evil friends...

This topic is locked. 35 replies to this topic.

#1 Monkeyb00y

Posted 10 August 2009 - 12:59 AM

I have downloaded & tried to use 15 Different Anti [insert type of virus here] cleaners that I've found through various forums.
I have found that this forum is the best one out of the bunch to try to get some help.
Here's the issue.
I'm trying to fix a friend's Dell Laptop - Inspiron B130 - Windows XP Home Edition SP2 (I haven't been able to update anything yet).
They had gone onto one of the popular social networking sites & 2 days later when they turned it on...
BAM! Home Antivirus 2010 had installed itself. They attempted to uninstall it, etc, but the normal means did not work of course.
They came to me since I'm sort of a guru when it comes to these things. Unfortunately, I've been completely stumped
& everything I try fails. It has disabled IEXPLORE.exe so IE7 doesn't work. The updates for windows, IE8, will not install.
You cannot install IE7 as it fails. I tried to install Firefox but will not connect to the internet.
I did install AVG Free 8 & got rid of some of it. Home Antivirus 2010 doesn't pop up anymore.
BUT everything else doesn't work. You cannot open IEXPLORE.exe.
When you do, popup: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
When I ran HijackThis, it closed about 3 seconds in. You try to run it a 2nd time, same popup as above.
This has happened with programs listed below:
MBAM - installed, never ran, locked.
HJT - 3 second run time, closed, then locked.
SuperAntiSpyware - ran once to search, then upon reboot, locked.
WinPatrol - installed, never ran, locked.
Autoruns - 1 second run time, closed, then locked.

There have been a few that have worked but since most are logs or auto-fixers, or don't find anything:
Sophos Anti-Rootkit = found "hidden" items in the programs that have been blocked listed above.
RootRepeal only found: Hidden/Locked Files
Path: C:\WINDOWS\system32\netlogon.dll
Status: Locked to the Windows API!
KillBox - works, but need a file name to use it on.
ProcessExplorer - works, not sure how to pull a log if needed.

After 48 hours of going around & around with this thing, I searched for a solution & found this forum.
I've signed up & am now following the instructions everyone seems to be using.
DDS works so I have attached the appropriate file to this post.

Thank you in advance!
Monkeyb00y

Here is the DDS.txt info:

DDS (Ver_09-07-30.01) - NTFSx86
Run by tyrone webb at 1:16:56.09 on Mon 08/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.268 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE -k browserctl
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sophos\Sophos Anti-Rootkit\sargui.exe
C:\Documents and Settings\tyrone webb\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061016
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061016
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Captcha7] rundll "c:\program files\captcha7.dll",captcha
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Task Catcher] c:\progra~1\billps~1\taskca~1\tasktrap.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: musicmatch.com\online
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Filter: text/html - {8e311775-3a14-4a8b-9dbc-8aa0d16ed529} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: cru629.dat?m$U¨?\?š
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tyrone~1\applic~1\mozilla\firefox\profiles\kqbbsxi3.default\
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R?2 browserctl;browserctl;c:\windows\system32\SvchoSt.ExE -k browserctl [2004-8-10 14336]
R1 browserctldrv;browserctldrv;c:\program files\browserctl\BrowserCtl.sys [2009-8-4 9472]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\a.tmp --> c:\windows\system32\A.tmp [?]

=============== Created Last 30 ================

2009-08-09 22:45 <DIR> --d----- c:\program files\Sophos
2009-08-09 13:48 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-08-09 13:35 <DIR> --d----- C:\!KillBox
2009-08-09 03:32 <DIR> --d----- c:\docume~1\tyrone~1\applic~1\WinPatrol
2009-08-09 03:32 299,520 a------- c:\windows\uninst.exe
2009-08-09 03:31 <DIR> --d----- c:\documents and settings\tyrone webb\WINDOWS
2009-08-09 03:31 <DIR> --d----- c:\program files\BillP Studios
2009-08-09 03:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-09 03:06 <DIR> --d----- c:\documents and settings\tyrone webb\DoctorWeb
2009-08-09 01:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-09 01:44 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-09 01:44 <DIR> --d----- c:\docume~1\tyrone~1\applic~1\SUPERAntiSpyware.com
2009-08-08 00:41 <DIR> --d----- c:\windows\pss
2009-08-08 00:39 <DIR> --d----- c:\program files\Trend Micro
2009-08-08 00:36 <DIR> --d----- c:\docume~1\tyrone~1\applic~1\Malwarebytes
2009-08-08 00:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-07 19:53 <DIR> --d-h--- c:\windows\PIF
2009-08-07 18:16 <DIR> --d----- c:\windows\system32\Logs
2009-08-07 14:12 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-07 14:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-07 14:00 14,616 a------- c:\windows\sevarolo.dl
2009-08-07 14:00 11,760 a------- c:\program files\common files\nago.bin
2009-08-07 14:00 17,541 a------- c:\windows\ajojej.dat
2009-08-07 14:00 14,540 a------- c:\docume~1\alluse~1\applic~1\afevolof.vbs
2009-08-07 14:00 11,917 a------- c:\docume~1\tyrone~1\applic~1\usir.exe
2009-08-07 14:00 18,179 a------- c:\windows\vusyq.inf
2009-08-07 14:00 13,198 a------- c:\windows\zosoxoreny.dat
2009-08-07 14:00 12,439 a------- c:\windows\etyrulam.pif
2009-08-07 14:00 11,524 a------- c:\windows\system32\owyvun.dll
2009-08-07 14:00 10,893 a------- c:\docume~1\tyrone~1\applic~1\upeteq.reg
2009-08-07 14:00 10,570 a------- c:\windows\bomanysego._dl
2009-08-07 14:00 17,312 a------- c:\docume~1\alluse~1\applic~1\ogukeveqe.scr
2009-08-07 13:55 <DIR> --d----- c:\docume~1\tyrone~1\applic~1\AVG8
2009-08-07 00:18 <DIR> --d----- c:\docume~1\tyrone~1\applic~1\McAfee
2009-08-04 13:04 2 a------- c:\windows\0535251103110107106.xsb
2009-08-04 13:04 1 ----h--- c:\windows\th823567.dat
2009-08-04 13:04 2 a------- c:\windows\0101120101465453.dat
2009-08-04 11:09 19,655 a------- c:\windows\system32\ruzo.vbs
2009-08-04 11:09 19,544 a------- c:\windows\tiseqalado._dl
2009-08-04 11:09 18,979 a------- c:\windows\system32\afof.dl
2009-08-04 11:09 18,661 a------- c:\program files\common files\esepugake-DELETE.sys
2009-08-04 11:09 18,416 a------- c:\windows\lumewo.dll
2009-08-04 11:09 17,755 a------- c:\windows\ferexisa.exe
2009-08-04 11:09 16,476 a------- c:\windows\ycujiz.com
2009-08-04 11:09 16,343 a------- c:\windows\yrym.dll
2009-08-04 11:09 14,976 a------- c:\windows\system32\ijyq._sy
2009-08-04 11:09 14,904 a------- c:\program files\common files\nuli.dll
2009-08-04 11:09 14,707 a------- c:\windows\todyvawaki.exe
2009-08-04 11:09 13,768 a------- c:\program files\common files\qavo.dat
2009-08-04 11:09 13,261 a------- c:\windows\system32\wiru.inf
2009-08-04 11:09 12,841 a------- c:\program files\common files\nexepu.scr
2009-08-04 11:09 10,128 a------- c:\docume~1\tyrone~1\applic~1\popo.scr
2009-08-04 11:04 <DIR> --d----- c:\program files\BrowserCtl
2009-08-04 11:04 2 a------- c:\windows\010112010146120114.dat
2009-08-03 17:22 247 a------- c:\windows\prxid93ps.dat
2009-07-19 13:50 <DIR> --d----- c:\program files\Shared

==================== Find3M ====================

2009-08-04 11:09 16,039 a------- c:\program files\common files\abyqi.inf
2009-07-19 09:33 3,597,824 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-19 09:32 6,067,200 -------- c:\windows\system32\dllcache\ieframe.dll
2009-06-29 07:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-29 07:07 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 04:35 634,632 -------- c:\windows\system32\dllcache\iexplore.exe
2009-06-29 04:33 2,452,872 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-29 04:33 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-06-16 10:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:55 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:55 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-08 22:06 4,182 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-06-03 15:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-06-03 15:27 1,290,752 -------- c:\windows\system32\dllcache\quartz.dll
2008-05-16 20:44 0 a------- c:\docume~1\tyrone~1\applic~1\wklnhst.dat

============= FINISH: 1:17:20.50 ===============
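An added triage script (not from this thread, DDS or any of the tools mentioned) that runs three checks over an excerpt of the DDS.txt above: svchost entries whose -k service group is outside a known list, a non-empty AppInit_DLLs value, and bursts of files created in the same minute, which are the three things in that log that stand out. The section titles, the known-group list, the thresholds and the sample lines are assumptions constructed from the posted log, and a hit means "look here", not "this is the infection".

```python
"""Triage heuristics for a DDS.txt log (added example, not part of the thread)."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the DDS.txt posted in
# this thread. The AppInit_DLLs value is shortened; the posted line carried
# trailing binary garbage after "cru629.dat".
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\sySTEM32\SvchoSt.ExE -k browserctl
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE

============== Pseudo HJT Report ===============

mRun: [Captcha7] rundll "c:\program files\captcha7.dll",captcha
AppInit_DLLs: cru629.dat

============= SERVICES / DRIVERS ===============

R?2 browserctl;browserctl;c:\windows\system32\SvchoSt.ExE -k browserctl [2004-8-10 14336]
R1 browserctldrv;browserctldrv;c:\program files\browserctl\BrowserCtl.sys [2009-8-4 9472]

=============== Created Last 30 ================

2009-08-09 22:45 <DIR> --d----- c:\program files\Sophos
2009-08-07 14:00 14,616 a------- c:\windows\sevarolo.dl
2009-08-07 14:00 11,760 a------- c:\program files\common files\nago.bin
2009-08-07 14:00 17,541 a------- c:\windows\ajojej.dat
2009-08-07 14:00 14,540 a------- c:\docume~1\alluse~1\applic~1\afevolof.vbs
2009-08-07 14:00 11,917 a------- c:\docume~1\tyrone~1\applic~1\usir.exe
2009-08-04 11:09 19,655 a------- c:\windows\system32\ruzo.vbs
2009-08-04 11:09 17,755 a------- c:\windows\ferexisa.exe
2009-08-04 11:09 16,476 a------- c:\windows\ycujiz.com
2009-08-04 11:09 16,343 a------- c:\windows\yrym.dll
2009-08-04 11:04 <DIR> --d----- c:\program files\BrowserCtl
"""

# DDS section headers look like "===== Title =====".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Service groups svchost.exe normally hosts on Windows XP (assumed list for this
# example; extend it for the build being triaged).
KNOWN_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "networkservice",
                        "localservice", "imgsvc", "httpfilter", "termsvcs"}
SVCHOST_RE = re.compile(r"svchost(?:\.exe)?\s+-k\s+(\S+)", re.I)
# "<timestamp> <size or <DIR>> <attributes> <path>" as printed by DDS.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+\S+\s+(.+)$")


def split_sections(text):
    """Map each DDS section title to the non-empty lines beneath it."""
    sections = defaultdict(list)
    current = "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        if line.strip():
            sections[current].append(line.rstrip())
    return sections


def suspicious_svchost(lines):
    """Return svchost entries whose -k group is not a known service group.
    Matching is case-insensitive, so the mixed-case 'SvchoSt.ExE' spelling
    does not hide the entry."""
    hits = []
    for line in lines:
        m = SVCHOST_RE.search(line)
        if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            hits.append(line)
    return hits


def appinit_dlls(hjt_lines):
    """Return the AppInit_DLLs value, or None when the key is empty or absent.
    DLLs listed there are loaded into every process that loads user32.dll, so a
    non-empty value on a home machine deserves a close look."""
    for line in hjt_lines:
        if line.startswith("AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            return value or None
    return None


def file_bursts(created_lines, min_files=3):
    """Group created files (directories excluded) by creation minute and return
    the minutes in which at least min_files files appeared; a dropper writing
    many randomly named files at once shows up as one such minute."""
    by_minute = defaultdict(list)
    for line in created_lines:
        m = CREATED_RE.match(line)
        if not m or m.group(2) == "<DIR>":
            continue
        by_minute[m.group(1)].append(m.group(3))
    return {ts: paths for ts, paths in by_minute.items() if len(paths) >= min_files}


def triage(text):
    """Run all three checks over a DDS log and return the findings."""
    sections = split_sections(text)
    svchost_lines = sections.get("Running Processes", []) + sections.get("SERVICES / DRIVERS", [])
    return {
        "odd_svchost": suspicious_svchost(svchost_lines),
        "appinit_dlls": appinit_dlls(sections.get("Pseudo HJT Report", [])),
        "file_bursts": file_bursts(sections.get("Created Last 30", [])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(key, value)
```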


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:09:27 AM

Posted 10 August 2009 - 05:05 AM

Hello, my name is fenzodahl512 and welcome to the forum.. Please do the following....


Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.


NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER into GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results



Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GAMERS result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Monkeyb00y

Posted 10 August 2009 - 10:48 AM

Got to step 2: MBAM.exe was installed, run, as soon as I started the scan...closed. LOCKED OUT.

#4 fenzodahl512

Posted 10 August 2009 - 11:40 AM

proceed with RSIT and GMER steps please :thumbup2:



#5 Monkeyb00y

Posted 10 August 2009 - 12:41 PM

OK...MBAM - locked out
RSIT - installed, instantly locked out.
GAMERS Results is attached.
Thanks again for all your help. ^^
Monkeyb00y


#6 fenzodahl512

Posted 10 August 2009 - 12:59 PM

Please download this tool by sUBs, and save it to your desktop.
  • Close any applications that you have open, as your computer will be rebooted
  • Double click +++.exe to run the tool
  • When it has run it will reboot your computer, you may then delete the tool



#7 Monkeyb00y

Posted 10 August 2009 - 01:06 PM

+++.exe RUN - Screen pops up: "Machine does not appear to be infected."

#8 fenzodahl512

Posted 10 August 2009 - 01:15 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[two screenshots of the rename step]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#9 Monkeyb00y

Posted 10 August 2009 - 01:38 PM

ComboFix 09-08-10.01 - tyrone webb 08/10/2009 14:26.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.210 [GMT -4:00]
Running from: c:\documents and settings\tyrone webb\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

?
c:\program files\BrowserCtl
c:\program files\Common


c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BROWSERCTL
-------\Legacy_BROWSERCTLDRV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_browserctl
-------\Service_browserctldrv
-------\Service_SfX


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 18:30 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-10 16:57 . 2009-08-10 16:57 -------- d-----w- C:\rsit
2009-08-10 15:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 15:40 . 2009-08-10 15:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 15:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 15:26 . 2009-08-10 15:26 -------- d-----w- c:\program files\ERUNT
2009-08-10 02:45 . 2009-08-10 02:45 -------- d-----w- c:\program files\Sophos
2009-08-09 17:48 . 2009-08-09 17:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-08-09 17:35 . 2009-08-09 17:35 -------- d-----w- C:\!KillBox
2009-08-09 07:32 . 2009-08-09 07:32 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\WinPatrol
2009-08-09 07:32 . 1998-02-07 03:37 299520 ----a-w- c:\windows\uninst.exe
2009-08-09 07:31 . 2009-08-09 07:31 -------- d-----w- c:\documents and settings\tyrone webb\WINDOWS
2009-08-09 07:31 . 2009-08-09 07:32 -------- d-----w- c:\program files\BillP Studios
2009-08-09 07:19 . 2009-08-09 07:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-09 07:06 . 2009-08-09 07:10 -------- d-----w- c:\documents and settings\tyrone webb\DoctorWeb
2009-08-09 05:45 . 2009-08-09 05:46 117760 ----a-w- c:\documents and settings\tyrone webb\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-09 05:45 . 2009-08-09 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-09 05:44 . 2009-08-10 03:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-09 05:44 . 2009-08-09 05:44 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\SUPERAntiSpyware.com
2009-08-08 04:39 . 2009-08-09 17:15 -------- d-----w- c:\program files\Trend Micro
2009-08-08 04:36 . 2009-08-08 04:36 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\Malwarebytes
2009-08-08 04:36 . 2009-08-08 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-07 23:53 . 2009-08-07 23:53 -------- d--h--w- c:\windows\PIF
2009-08-07 22:25 . 2009-08-07 22:25 -------- d-----w- c:\documents and settings\tyrone webb\Local Settings\Application Data\Mozilla
2009-08-07 22:16 . 2009-08-07 22:16 -------- d-----w- c:\windows\system32\Logs
2009-08-07 18:12 . 2009-08-08 05:33 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-07 18:08 . 2009-08-09 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-07 18:00 . 2009-08-07 18:00 15900 ----a-w- c:\documents and settings\tyrone webb\Local Settings\Application Data\kewovuky.bin
2009-08-07 18:00 . 2009-08-07 18:00 11760 ----a-w- c:\program files\Common Files\nago.bin
2009-08-07 18:00 . 2009-08-07 18:00 17541 ----a-w- c:\windows\ajojej.dat
2009-08-07 18:00 . 2009-08-07 18:00 11917 ----a-w- c:\documents and settings\tyrone webb\Application Data\usir.exe
2009-08-07 18:00 . 2009-08-07 18:00 15625 ----a-w- c:\documents and settings\tyrone webb\Local Settings\Application Data\hesexataq.exe
2009-08-07 18:00 . 2009-08-07 18:00 13198 ----a-w- c:\windows\zosoxoreny.dat
2009-08-07 18:00 . 2009-08-07 18:00 12439 ----a-w- c:\windows\etyrulam.pif
2009-08-07 18:00 . 2009-08-07 18:00 11524 ----a-w- c:\windows\system32\owyvun.dll
2009-08-07 18:00 . 2009-08-07 18:00 10027 ----a-w- c:\documents and settings\tyrone webb\Local Settings\Application Data\ibopyd.bin
2009-08-07 18:00 . 2009-08-07 18:00 17312 ----a-w- c:\documents and settings\All Users\Application Data\ogukeveqe.scr
2009-08-07 17:55 . 2009-08-07 17:55 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\AVG8
2009-08-07 04:18 . 2009-08-07 04:18 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\McAfee
2009-08-04 17:04 . 2009-08-04 17:04 1 ---h--w- c:\windows\th823567.dat
2009-08-04 17:04 . 2009-08-04 17:04 2 ----a-w- c:\windows\0101120101465453.dat
2009-08-04 15:09 . 2009-08-04 15:09 19655 ----a-w- c:\windows\system32\ruzo.vbs
2009-08-04 15:09 . 2009-08-04 15:09 18661 ----a-w- c:\program files\Common Files\esepugake-DELETE.sys
2009-08-04 15:09 . 2009-08-04 15:09 18416 ----a-w- c:\windows\lumewo.dll
2009-08-04 15:09 . 2009-08-04 15:09 17755 ----a-w- c:\windows\ferexisa.exe
2009-08-04 15:09 . 2009-08-04 15:09 16476 ----a-w- c:\windows\ycujiz.com
2009-08-04 15:09 . 2009-08-04 15:09 16343 ----a-w- c:\windows\yrym.dll
2009-08-04 15:09 . 2009-08-04 15:09 14904 ----a-w- c:\program files\Common Files\nuli.dll
2009-08-04 15:09 . 2009-08-04 15:09 14707 ----a-w- c:\windows\todyvawaki.exe
2009-08-04 15:09 . 2009-08-04 15:09 13768 ----a-w- c:\program files\Common Files\qavo.dat
2009-08-04 15:09 . 2009-08-04 15:09 12841 ----a-w- c:\program files\Common Files\nexepu.scr
2009-08-04 15:09 . 2009-08-04 15:09 10814 ----a-w- c:\documents and settings\tyrone webb\Local Settings\Application Data\towuvav.exe
2009-08-04 15:09 . 2009-08-04 15:09 10128 ----a-w- c:\documents and settings\tyrone webb\Application Data\popo.scr
2009-08-04 15:04 . 2009-08-04 15:04 2 ----a-w- c:\windows\010112010146120114.dat
2009-08-03 21:22 . 2009-08-03 21:22 247 ----a-w- c:\windows\prxid93ps.dat
2009-07-19 17:50 . 2009-08-07 19:03 -------- d-----w- c:\program files\Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 18:29 . 2004-08-10 17:51 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-08-08 04:12 . 2006-10-16 19:47 -------- d-----w- c:\program files\Google
2009-08-07 22:53 . 2006-10-16 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-07 22:53 . 2006-10-16 19:44 -------- d-----w- c:\program files\McAfee.com
2009-08-07 18:00 . 2009-08-07 18:00 14540 ----a-w- c:\documents and settings\All Users\Application Data\afevolof.vbs
2009-08-07 18:00 . 2009-08-07 18:00 10893 ----a-w- c:\documents and settings\tyrone webb\Application Data\upeteq.reg
2009-08-04 15:09 . 2009-08-04 15:09 16039 ----a-w- c:\program files\Common Files\abyqi.inf
2009-07-08 18:07 . 2008-10-03 03:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-08 04:06 . 2009-07-08 04:06 2 ----a-w- c:\windows\0101120101465749.dat
2009-07-08 04:06 . 2009-07-08 04:06 1 ---h--w- c:\windows\jmmark2.dat
2009-07-08 04:06 . 2009-07-08 04:06 2 ----a-w- c:\windows\0101120101465752.dat
2009-07-08 04:06 . 2009-07-08 04:06 1 ---h--w- c:\windows\bf23567.dat
2009-07-08 03:06 . 2009-07-08 03:06 2 ----a-w- c:\windows\0101120101464849.dat
2009-07-08 03:06 . 2009-07-08 03:06 2 ----a-w- c:\windows\010112010146118114.dat
2009-06-29 16:12 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 17:50 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 17:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-09 02:06 . 2007-07-14 15:49 4182 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-09 02:06 . 2007-07-14 15:49 88 --sh--r- c:\windows\system32\5A0127F470.sys
2009-06-03 19:27 . 2004-08-10 17:51 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Captcha7"="rundll" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Task Catcher"="c:\progra~1\BILLPS~1\TASKCA~1\tasktrap.exe" [2005-11-14 136760]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]

c:\documents and settings\tyrone webb\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-16 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:browserctl

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\A.tmp --> c:\windows\system32\A.tmp [?]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
HKLM-Run-WinPatrol - c:\program files\BillP Studios\WinPatrol\winpatrol.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061016
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {01D1261C-50F1-4438-A4A3-59A38DCA3AA2} = 68.28.242.91 68.28.250.92
FF - ProfilePath - c:\documents and settings\tyrone webb\Application Data\Mozilla\Firefox\Profiles\kqbbsxi3.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 14:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\A.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(1608)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-08-10 14:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 18:35

Pre-Run: 26,607,345,664 bytes free
Post-Run: 26,740,588,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptOut

283 --- E O F --- 2009-08-07 23:16

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:27 AM

Posted 10 August 2009 - 01:47 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Collect::
c:\documents and settings\tyrone webb\Local Settings\Application Data\kewovuky.bin
c:\program files\Common Files\nago.bin
c:\windows\ajojej.dat
c:\documents and settings\tyrone webb\Application Data\usir.exe
c:\documents and settings\tyrone webb\Local Settings\Application Data\hesexataq.exe
c:\windows\zosoxoreny.dat
c:\windows\etyrulam.pif
c:\windows\system32\owyvun.dll
c:\documents and settings\tyrone webb\Local Settings\Application Data\ibopyd.bin
c:\documents and settings\All Users\Application Data\ogukeveqe.scr
c:\windows\th823567.dat
c:\windows\0101120101465453.dat
c:\windows\system32\ruzo.vbs
c:\program files\Common Files\esepugake-DELETE.sys
c:\windows\lumewo.dll
c:\windows\ferexisa.exe
c:\windows\ycujiz.com
c:\windows\yrym.dll
c:\program files\Common Files\nuli.dll
c:\windows\todyvawaki.exe
c:\program files\Common Files\qavo.dat
c:\program files\Common Files\nexepu.scr
c:\documents and settings\tyrone webb\Local Settings\Application Data\towuvav.exe
c:\documents and settings\tyrone webb\Application Data\popo.scr
c:\windows\010112010146120114.dat
c:\windows\prxid93ps.dat
c:\documents and settings\All Users\Application Data\afevolof.vbs
c:\documents and settings\tyrone webb\Application Data\upeteq.reg
c:\program files\Common Files\abyqi.inf
c:\windows\0101120101465749.dat
c:\windows\jmmark2.dat
c:\windows\0101120101465752.dat
c:\windows\bf23567.dat
c:\windows\0101120101464849.dat
c:\windows\010112010146118114.dat

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

DirLook::
C:\Device\__max++>
C:\Windows\Device\__max++>

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation of dragging CFScript.txt onto ComboFix.exe not reproduced)


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.
Note:
If Combofix fails to upload the file, please find C:\Qoobox\Quarantined Files\Submit(Time and date here).zip and upload it at this site

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
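The Collect:: list in the post above is built from the ComboFix "Files Created" entries: batches of small, randomly named files written to several directories within the same minute. The script below is an added triage example (my own, not the helper's method and not part of ComboFix) that makes that reasoning mechanical: it parses ComboFix file lines, groups non-directory entries by creation minute, and flags a minute when at least three files land in at least two different directories and most of their names are plain lowercase letter strings. The sample lines are copied from the log posted in this thread; the thresholds and the random-name pattern are my assumptions, chosen so that legitimate installs (the Malwarebytes drivers at 15:40) are not flagged.

```python
"""Group ComboFix 'Files Created' entries by creation minute to surface
dropper batches.  Added triage example; heuristic thresholds are assumptions."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Lines copied from the ComboFix log posted in this thread (raw string keeps
# the Windows backslashes intact).
SAMPLE_LOG = r"""
2009-08-10 18:30 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-10 15:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 15:40 . 2009-08-10 15:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 15:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-07 18:08 . 2009-08-09 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-07 18:00 . 2009-08-07 18:00 15900 ----a-w- c:\documents and settings\tyrone webb\Local Settings\Application Data\kewovuky.bin
2009-08-07 18:00 . 2009-08-07 18:00 11760 ----a-w- c:\program files\Common Files\nago.bin
2009-08-07 18:00 . 2009-08-07 18:00 17541 ----a-w- c:\windows\ajojej.dat
2009-08-07 18:00 . 2009-08-07 18:00 11917 ----a-w- c:\documents and settings\tyrone webb\Application Data\usir.exe
2009-08-07 18:00 . 2009-08-07 18:00 11524 ----a-w- c:\windows\system32\owyvun.dll
2009-08-04 17:04 . 2009-08-04 17:04 1 ---h--w- c:\windows\th823567.dat
2009-08-04 17:04 . 2009-08-04 17:04 2 ----a-w- c:\windows\0101120101465453.dat
2009-08-04 15:09 . 2009-08-04 15:09 19655 ----a-w- c:\windows\system32\ruzo.vbs
2009-08-04 15:09 . 2009-08-04 15:09 18661 ----a-w- c:\program files\Common Files\esepugake-DELETE.sys
2009-08-04 15:09 . 2009-08-04 15:09 18416 ----a-w- c:\windows\lumewo.dll
2009-08-04 15:09 . 2009-08-04 15:09 17755 ----a-w- c:\windows\ferexisa.exe
2009-08-04 15:09 . 2009-08-04 15:09 10128 ----a-w- c:\documents and settings\tyrone webb\Application Data\popo.scr
"""

# ComboFix line layout: <created> . <modified> <size|--------> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Assumption: dropper file names on this box are 4-12 lowercase letters.
RANDOM_STEM = re.compile(r"^[a-z]{4,12}$")


def parse_line(line):
    """Parse one ComboFix file entry; return None for lines of other shapes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return {
        "created": m.group("created"),
        "modified": m.group("modified"),
        "size": None if size.startswith("-") else int(size),
        "attrs": m.group("attrs"),
        "is_dir": m.group("attrs")[0] == "d",
        "path": m.group("path"),
    }


def find_dropper_clusters(log_text, min_files=3, min_dirs=2):
    """Return [(creation_minute, [paths])] for minutes that look like a drop batch.

    A minute is flagged when it holds at least `min_files` non-directory files,
    spread over at least `min_dirs` parent directories, and at least two thirds
    of the file stems match RANDOM_STEM.  Thresholds are assumptions.
    """
    by_minute = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and not entry["is_dir"]:
            by_minute[entry["created"]].append(entry)

    clusters = []
    for minute, entries in sorted(by_minute.items()):
        if len(entries) < min_files:
            continue
        parents = {str(PureWindowsPath(e["path"]).parent).lower() for e in entries}
        if len(parents) < min_dirs:
            continue
        random_like = sum(
            1 for e in entries if RANDOM_STEM.match(PureWindowsPath(e["path"]).stem)
        )
        if random_like * 3 < len(entries) * 2:  # fewer than 2/3 random-looking names
            continue
        clusters.append((minute, sorted(e["path"] for e in entries)))
    return clusters


if __name__ == "__main__":
    for minute, paths in find_dropper_clusters(SAMPLE_LOG):
        print(f"{minute}: {len(paths)} files created together")
        for p in paths:
            print("   ", p)
```

On the sample above the 15:40 Malwarebytes entries (two drivers in one directory) and the 17:04 pair (digit-only names, too few files) are ignored, while the 15:09 and 18:00 batches are reported, including esepugake-DELETE.sys, which does not match the name pattern itself but was written in the same minute as files that do. Timestamp clustering is a supporting signal for a human reviewer, not a verdict; the helper's Collect:: list was still checked by hand.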


#11 Monkeyb00y

Monkeyb00y
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  • Gender:Male
  • Location:Behind my eyes...
  • Local time:08:27 PM

Posted 10 August 2009 - 02:13 PM

ComboFix Log:
ComboFix 09-08-10.01 - tyrone webb 08/10/2009 14:54.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.241 [GMT -4:00]
Running from: c:\documents and settings\tyrone webb\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\tyrone webb\Desktop\CFScript.txt

file zipped: c:\documents and settings\All Users\Application Data\afevolof.vbs
file zipped: c:\documents and settings\All Users\Application Data\ogukeveqe.scr
file zipped: c:\documents and settings\tyrone webb\Application Data\popo.scr
file zipped: c:\documents and settings\tyrone webb\Application Data\upeteq.reg
file zipped: c:\documents and settings\tyrone webb\Application Data\usir.exe
file zipped: c:\documents and settings\tyrone webb\Local Settings\Application Data\hesexataq.exe
file zipped: c:\documents and settings\tyrone webb\Local Settings\Application Data\ibopyd.bin
file zipped: c:\documents and settings\tyrone webb\Local Settings\Application Data\kewovuky.bin
file zipped: c:\documents and settings\tyrone webb\Local Settings\Application Data\towuvav.exe
file zipped: c:\program files\Common Files\abyqi.inf
file zipped: c:\program files\Common Files\esepugake-DELETE.sys
file zipped: c:\program files\Common Files\nago.bin
file zipped: c:\program files\Common Files\nexepu.scr
file zipped: c:\program files\Common Files\nuli.dll
file zipped: c:\program files\Common Files\qavo.dat
file zipped: c:\windows\010112010146118114.dat
file zipped: c:\windows\010112010146120114.dat
file zipped: c:\windows\0101120101464849.dat
file zipped: c:\windows\0101120101465453.dat
file zipped: c:\windows\0101120101465749.dat
file zipped: c:\windows\0101120101465752.dat
file zipped: c:\windows\ajojej.dat
file zipped: c:\windows\bf23567.dat
file zipped: c:\windows\etyrulam.pif
file zipped: c:\windows\ferexisa.exe
file zipped: c:\windows\jmmark2.dat
file zipped: c:\windows\lumewo.dll
file zipped: c:\windows\prxid93ps.dat
file zipped: c:\windows\system32\owyvun.dll
file zipped: c:\windows\system32\ruzo.vbs
file zipped: c:\windows\th823567.dat
file zipped: c:\windows\todyvawaki.exe
file zipped: c:\windows\ycujiz.com
file zipped: c:\windows\yrym.dll
file zipped: c:\windows\zosoxoreny.dat
.

((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 18:30 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-10 16:57 . 2009-08-10 16:57 -------- d-----w- C:\rsit
2009-08-10 15:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 15:40 . 2009-08-10 15:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 15:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 15:26 . 2009-08-10 15:26 -------- d-----w- c:\program files\ERUNT
2009-08-10 02:45 . 2009-08-10 02:45 -------- d-----w- c:\program files\Sophos
2009-08-09 17:48 . 2009-08-09 17:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-08-09 17:35 . 2009-08-09 17:35 -------- d-----w- C:\!KillBox
2009-08-09 07:32 . 2009-08-09 07:32 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\WinPatrol
2009-08-09 07:32 . 1998-02-07 03:37 299520 ----a-w- c:\windows\uninst.exe
2009-08-09 07:31 . 2009-08-09 07:31 -------- d-----w- c:\documents and settings\tyrone webb\WINDOWS
2009-08-09 07:31 . 2009-08-09 07:32 -------- d-----w- c:\program files\BillP Studios
2009-08-09 07:19 . 2009-08-09 07:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-09 07:06 . 2009-08-09 07:10 -------- d-----w- c:\documents and settings\tyrone webb\DoctorWeb
2009-08-09 05:45 . 2009-08-09 05:46 117760 ----a-w- c:\documents and settings\tyrone webb\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-09 05:45 . 2009-08-09 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-09 05:44 . 2009-08-10 03:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-09 05:44 . 2009-08-09 05:44 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\SUPERAntiSpyware.com
2009-08-08 04:39 . 2009-08-09 17:15 -------- d-----w- c:\program files\Trend Micro
2009-08-08 04:36 . 2009-08-08 04:36 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\Malwarebytes
2009-08-08 04:36 . 2009-08-08 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-07 23:53 . 2009-08-07 23:53 -------- d--h--w- c:\windows\PIF
2009-08-07 22:25 . 2009-08-07 22:25 -------- d-----w- c:\documents and settings\tyrone webb\Local Settings\Application Data\Mozilla
2009-08-07 22:16 . 2009-08-07 22:16 -------- d-----w- c:\windows\system32\Logs
2009-08-07 18:12 . 2009-08-08 05:33 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-07 18:08 . 2009-08-09 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-07 18:00 . 2009-08-10 18:54 11760 ----a-w- c:\program files\Common Files\nago.bin
2009-08-07 18:00 . 2009-08-10 18:54 15900 ----a-w- c:\documents and settings\tyrone webb\Local Settings\Application Data\kewovuky.bin
2009-08-07 18:00 . 2009-08-10 18:54 17541 ----a-w- c:\windows\ajojej.dat
2009-08-07 18:00 . 2009-08-10 18:54 11917 ----a-w- c:\documents and settings\tyrone webb\Application Data\usir.exe
2009-08-07 18:00 . 2009-08-10 18:54 13198 ----a-w- c:\windows\zosoxoreny.dat
2009-08-07 18:00 . 2009-08-10 18:54 11524 ----a-w- c:\windows\system32\owyvun.dll
2009-08-07 18:00 . 2009-08-10 18:54 12439 ----a-w- c:\windows\etyrulam.pif
2009-08-07 18:00 . 2009-08-10 18:54 15625 ----a-w- c:\documents and settings\tyrone webb\Local Settings\Application Data\hesexataq.exe
2009-08-07 18:00 . 2009-08-07 18:00 10027 ----a-w- c:\documents and settings\tyrone webb\Local Settings\Application Data\ibopyd.bin
2009-08-07 18:00 . 2009-08-10 18:54 17312 ----a-w- c:\documents and settings\All Users\Application Data\ogukeveqe.scr
2009-08-07 17:55 . 2009-08-07 17:55 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\AVG8
2009-08-07 04:18 . 2009-08-07 04:18 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\McAfee
2009-08-04 17:04 . 2009-08-04 17:04 1 ---h--w- c:\windows\th823567.dat
2009-08-04 17:04 . 2009-08-04 17:04 2 ----a-w- c:\windows\0101120101465453.dat
2009-08-04 15:09 . 2009-08-10 18:54 16343 ----a-w- c:\windows\yrym.dll
2009-08-04 15:09 . 2009-08-10 18:54 16476 ----a-w- c:\windows\ycujiz.com
2009-08-04 15:09 . 2009-08-10 18:54 14707 ----a-w- c:\windows\todyvawaki.exe
2009-08-04 15:09 . 2009-08-10 18:54 19655 ----a-w- c:\windows\system32\ruzo.vbs
2009-08-04 15:09 . 2009-08-10 18:54 18416 ----a-w- c:\windows\lumewo.dll
2009-08-04 15:09 . 2009-08-10 18:54 17755 ----a-w- c:\windows\ferexisa.exe
2009-08-04 15:09 . 2009-08-10 18:54 13768 ----a-w- c:\program files\Common Files\qavo.dat
2009-08-04 15:09 . 2009-08-10 18:54 14904 ----a-w- c:\program files\Common Files\nuli.dll
2009-08-04 15:09 . 2009-08-10 18:54 12841 ----a-w- c:\program files\Common Files\nexepu.scr
2009-08-04 15:09 . 2009-08-10 18:54 18661 ----a-w- c:\program files\Common Files\esepugake-DELETE.sys
2009-08-04 15:09 . 2009-08-10 18:54 10814 ----a-w- c:\documents and settings\tyrone webb\Local Settings\Application Data\towuvav.exe
2009-08-04 15:09 . 2009-08-04 15:09 10128 ----a-w- c:\documents and settings\tyrone webb\Application Data\popo.scr
2009-08-04 15:04 . 2009-08-04 15:04 2 ----a-w- c:\windows\010112010146120114.dat
2009-08-03 21:22 . 2009-08-03 21:22 247 ----a-w- c:\windows\prxid93ps.dat
2009-07-19 17:50 . 2009-08-07 19:03 -------- d-----w- c:\program files\Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 18:54 . 2009-08-04 15:09 16039 ----a-w- c:\program files\Common Files\abyqi.inf
2009-08-10 18:54 . 2009-08-07 18:00 10893 ----a-w- c:\documents and settings\tyrone webb\Application Data\upeteq.reg
2009-08-10 18:54 . 2009-08-07 18:00 14540 ----a-w- c:\documents and settings\All Users\Application Data\afevolof.vbs
2009-08-10 18:29 . 2004-08-10 17:51 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-08-08 04:12 . 2006-10-16 19:47 -------- d-----w- c:\program files\Google
2009-08-07 22:53 . 2006-10-16 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-07 22:53 . 2006-10-16 19:44 -------- d-----w- c:\program files\McAfee.com
2009-07-08 18:07 . 2008-10-03 03:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-08 04:06 . 2009-07-08 04:06 2 ----a-w- c:\windows\0101120101465749.dat
2009-07-08 04:06 . 2009-07-08 04:06 1 ---h--w- c:\windows\jmmark2.dat
2009-07-08 04:06 . 2009-07-08 04:06 2 ----a-w- c:\windows\0101120101465752.dat
2009-07-08 04:06 . 2009-07-08 04:06 1 ---h--w- c:\windows\bf23567.dat
2009-07-08 03:06 . 2009-07-08 03:06 2 ----a-w- c:\windows\0101120101464849.dat
2009-07-08 03:06 . 2009-07-08 03:06 2 ----a-w- c:\windows\010112010146118114.dat
2009-06-29 16:12 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 17:50 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 17:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-09 02:06 . 2007-07-14 15:49 4182 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-09 02:06 . 2007-07-14 15:49 88 --sh--r- c:\windows\system32\5A0127F470.sys
2009-06-03 19:27 . 2004-08-10 17:51 1290752 ----a-w- c:\windows\system32\quartz.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\device\__max++> ----


---- Directory of c:\windows\Device\__max++> ----



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Captcha7"="rundll" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Task Catcher"="c:\progra~1\BILLPS~1\TASKCA~1\tasktrap.exe" [2005-11-14 136760]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]

c:\documents and settings\tyrone webb\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-16 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\A.tmp --> c:\windows\system32\A.tmp [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061016
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {01D1261C-50F1-4438-A4A3-59A38DCA3AA2} = 68.28.242.91 68.28.250.92
FF - ProfilePath - c:\documents and settings\tyrone webb\Application Data\Mozilla\Firefox\Profiles\kqbbsxi3.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 14:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\A.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3924)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-08-10 15:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 19:01
ComboFix2.txt 2009-08-10 18:35

Pre-Run: 26,756,939,776 bytes free
Post-Run: 26,724,540,416 bytes free

283 --- E O F --- 2009-08-07 23:16

____________

HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:02 PM, on 8/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061016
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Captcha7] rundll "C:\Program Files\captcha7.dll",captcha
O4 - HKLM\..\Run: [Task Catcher] C:\PROGRA~1\BILLPS~1\TASKCA~1\tasktrap.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{01D1261C-50F1-4438-A4A3-59A38DCA3AA2}: NameServer = 68.28.242.91 68.28.250.92
O17 - HKLM\System\CS1\Services\Tcpip\..\{01D1261C-50F1-4438-A4A3-59A38DCA3AA2}: NameServer = 68.28.242.91 68.28.250.92
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5758 bytes

#12 Monkeyb00y

Monkeyb00y
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  • Gender:Male
  • Location:Behind my eyes...
  • Local time:08:27 PM

Posted 10 August 2009 - 02:14 PM

By the way... the file was uploaded because the computer it was pulled from didn't have access to the internet except through a Netcard.

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:27 AM

Posted 10 August 2009 - 02:30 PM

Repeat the CFScript step, but this time with the script below. Then post the log here.

KillAll::

Rootkit::
c:\program files\Common Files\nago.bin
c:\documents and settings\tyrone webb\Local Settings\Application Data\kewovuky.bin
c:\windows\ajojej.dat
c:\documents and settings\tyrone webb\Application Data\usir.exe
c:\windows\zosoxoreny.dat
c:\windows\system32\owyvun.dll
c:\windows\etyrulam.pif
c:\documents and settings\tyrone webb\Local Settings\Application Data\hesexataq.exe
c:\documents and settings\tyrone webb\Local Settings\Application Data\ibopyd.bin
c:\documents and settings\All Users\Application Data\ogukeveqe.scr
c:\windows\th823567.dat
c:\windows\0101120101465453.dat
c:\windows\yrym.dll
c:\windows\ycujiz.com
c:\windows\todyvawaki.exe
c:\windows\system32\ruzo.vbs
c:\windows\lumewo.dll
c:\windows\ferexisa.exe
c:\program files\Common Files\qavo.dat
c:\program files\Common Files\nuli.dll
c:\program files\Common Files\nexepu.scr
c:\program files\Common Files\esepugake-DELETE.sys
c:\documents and settings\tyrone webb\Local Settings\Application Data\towuvav.exe
c:\documents and settings\tyrone webb\Application Data\popo.scr
c:\windows\010112010146120114.dat
c:\windows\prxid93ps.dat
c:\program files\Common Files\abyqi.inf
c:\documents and settings\tyrone webb\Application Data\upeteq.reg
c:\documents and settings\All Users\Application Data\afevolof.vbs
c:\windows\0101120101465749.dat
c:\windows\jmmark2.dat
c:\windows\0101120101465752.dat
c:\windows\bf23567.dat
c:\windows\0101120101464849.dat
c:\windows\010112010146118114.dat
C:\Windows\win32k.sys:1
C:\Windows\win32k.sys:2
c:\device\__max++>\C8E770BA.x86.dll

Folder::
c:\device\__max++>

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Captcha7"=-

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
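The HijackThis log in the earlier reply and the CFScript above are two halves of the same workflow: read the O4 (Run key) entries, pick out the ones that do not look like vendor software, and hand ComboFix a script that removes them. The following is an added example of that workflow written by the editor; it is not code from the thread, from HijackThis or from ComboFix, and the flagging rules (DLL started via rundll/rundll32, bare file name resolved via the search path, file sitting loose in the root of Program Files or C:\) are the editor's own heuristics, not a verdict. The sample lines are the O4 entries copied from the HijackThis log above. Only the File:: and Registry:: directives are generated here; the helper's script also uses Rootkit:: for files the rootkit hides, which this example does not attempt.

```python
"""Triage HijackThis O4 (Run key) entries and build the matching ComboFix stanza.

Added example: editor's own code, not part of the original thread and not code
from HijackThis or ComboFix. The flagging rules are the editor's heuristics.
"""
import re
from collections import namedtuple

# Registry O4 lines in a HijackThis log look like:
#   O4 - HKLM\..\Run: [Name] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Folders where a legitimate vendor would not drop a loose binary (editor's assumption).
LOOSE_DIRS = {"c:", "c:\\program files"}

Entry = namedtuple("Entry", "hive name cmd target reasons")

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Captcha7] rundll "C:\Program Files\captcha7.dll",captcha
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
"""


def _tokens(cmd):
    """Split a command line on whitespace while keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def _loader(cmd):
    """Base name of the first token, e.g. 'rundll' or 'igfxtray.exe'."""
    return _tokens(cmd)[0].lower().rsplit("\\", 1)[-1]


def target_of(cmd):
    """The file that really runs: for rundll/rundll32 it is the DLL argument."""
    toks = _tokens(cmd)
    if _loader(cmd) in ("rundll", "rundll.exe", "rundll32", "rundll32.exe") and len(toks) > 1:
        return toks[1].split(",", 1)[0]  # drop the ",EntryPoint" suffix
    return toks[0]


def reasons_for(cmd, target):
    """Heuristic flags for one Run value (something to look at, not a verdict)."""
    flags = []
    if _loader(cmd).startswith("rundll"):
        flags.append("DLL started through rundll/rundll32 instead of a vendor executable")
    if "\\" not in target:
        flags.append("bare file name, resolved through the search path")
    elif target.lower().rsplit("\\", 1)[0] in LOOSE_DIRS:
        flags.append("file sits loose in %s, not in a vendor folder" % target.rsplit("\\", 1)[0])
    return flags


def triage(log_text):
    """Parse every registry O4 line into an Entry; all other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        target = target_of(cmd)
        entries.append(Entry(m.group("hive"), m.group("name"), cmd, target,
                             reasons_for(cmd, target)))
    return entries


def flagged(entries):
    """Entries with at least one reason; these are the ones a helper eyeballs."""
    return [e for e in entries if e.reasons]


def cfscript(entries, names):
    """ComboFix CFScript stanza for the Run values the analyst chose to remove.

    File:: deletes the listed files; a "Name"=- line under Registry:: deletes the value.
    """
    chosen = [e for e in entries if e.name in names]
    if not chosen:
        return ""
    out = ["File::"]
    out += [e.target for e in chosen if "\\" in e.target]  # only full paths can be listed
    out += ["", "Registry::"]
    for hive in ("HKLM", "HKCU"):
        vals = [e for e in chosen if e.hive == hive]
        if vals:
            out.append("[%s\\%s]" % (HIVES[hive], RUN_KEY))
            out += ['"%s"=-' % e.name for e in vals]
    return "\n".join(out)


if __name__ == "__main__":
    ents = triage(SAMPLE_LOG)
    for e in flagged(ents):
        print("%-20s %s\n    %s" % (e.name, e.target, "; ".join(e.reasons)))
    print()
    print(cfscript(ents, ["Captcha7"]))
```

Run stand-alone it flags SigmatelSysTrayApp (bare file name, which is why HijackThis itself shows no path for it) and Captcha7 (rundll loader plus a DLL loose in the root of Program Files), and prints the same `"Captcha7"=-` Registry:: line the helper wrote by hand. The deletion list is passed in explicitly rather than taken from the flags, because a bare-name entry like stsystra.exe is usually a Dell OEM tray app and the decision to remove belongs to the analyst, not the heuristic.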


#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:09:27 AM

Posted 10 August 2009 - 02:41 PM

Hi. I need to sleep now. After you run the CFScript, please proceed with the GMER step as you did before. Post both the ComboFix and GMER logs in your next reply. I need some sleep :thumbup2:



#15 Monkeyb00y

Monkeyb00y
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  • Gender:Male
  • Location:Behind my eyes...
  • Local time:08:27 PM

Posted 10 August 2009 - 02:45 PM

EDIT: Put the GMER log at the bottom. I posted the ComboFix log before I saw the update about you needing to sleep. :D

Also, the programs that were blocked before can be used again. Not sure if there is much of it left... unless it's sleeping as well. ;)

ComboFix Log #2:
ComboFix 09-08-10.01 - tyrone webb 08/10/2009 15:33.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.239 [GMT -4:00]
Running from: c:\documents and settings\tyrone webb\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\tyrone webb\Desktop\CFScript2.txt
.

((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 19:36 . 2009-08-10 19:36 38 ----a-w- C:\C8E770BA.x86.dll.vir
2009-08-10 18:30 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-10 16:57 . 2009-08-10 16:57 -------- d-----w- C:\rsit
2009-08-10 15:40 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 15:40 . 2009-08-10 15:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 15:40 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 15:26 . 2009-08-10 15:26 -------- d-----w- c:\program files\ERUNT
2009-08-10 02:45 . 2009-08-10 02:45 -------- d-----w- c:\program files\Sophos
2009-08-09 17:48 . 2009-08-09 17:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{81D4BDA8-1F33-4633-B176-8A7E942ABDE1}
2009-08-09 17:35 . 2009-08-09 17:35 -------- d-----w- C:\!KillBox
2009-08-09 07:32 . 2009-08-09 07:32 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\WinPatrol
2009-08-09 07:32 . 1998-02-07 03:37 299520 ----a-w- c:\windows\uninst.exe
2009-08-09 07:31 . 2009-08-09 07:31 -------- d-----w- c:\documents and settings\tyrone webb\WINDOWS
2009-08-09 07:31 . 2009-08-09 07:32 -------- d-----w- c:\program files\BillP Studios
2009-08-09 07:19 . 2009-08-09 07:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-09 07:06 . 2009-08-09 07:10 -------- d-----w- c:\documents and settings\tyrone webb\DoctorWeb
2009-08-09 05:45 . 2009-08-09 05:46 117760 ----a-w- c:\documents and settings\tyrone webb\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-09 05:45 . 2009-08-09 05:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-09 05:44 . 2009-08-10 03:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-09 05:44 . 2009-08-09 05:44 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\SUPERAntiSpyware.com
2009-08-08 04:39 . 2009-08-09 17:15 -------- d-----w- c:\program files\Trend Micro
2009-08-08 04:36 . 2009-08-08 04:36 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\Malwarebytes
2009-08-08 04:36 . 2009-08-08 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-07 23:53 . 2009-08-07 23:53 -------- d--h--w- c:\windows\PIF
2009-08-07 22:25 . 2009-08-07 22:25 -------- d-----w- c:\documents and settings\tyrone webb\Local Settings\Application Data\Mozilla
2009-08-07 22:16 . 2009-08-07 22:16 -------- d-----w- c:\windows\system32\Logs
2009-08-07 18:12 . 2009-08-08 05:33 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-07 18:08 . 2009-08-09 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-07 17:55 . 2009-08-07 17:55 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\AVG8
2009-08-07 04:18 . 2009-08-07 04:18 -------- d-----w- c:\documents and settings\tyrone webb\Application Data\McAfee
2009-07-19 17:50 . 2009-08-07 19:03 -------- d-----w- c:\program files\Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 18:29 . 2004-08-10 17:51 407040 ----a-w- c:\windows\system32\netlogon.dll
2009-08-08 04:12 . 2006-10-16 19:47 -------- d-----w- c:\program files\Google
2009-08-07 22:53 . 2006-10-16 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-07 22:53 . 2006-10-16 19:44 -------- d-----w- c:\program files\McAfee.com
2009-07-08 18:07 . 2008-10-03 03:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-29 16:12 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 17:50 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:55 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 17:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-09 02:06 . 2007-07-14 15:49 4182 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-09 02:06 . 2007-07-14 15:49 88 --sh--r- c:\windows\system32\5A0127F470.sys
2009-06-03 19:27 . 2004-08-10 17:51 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-10_18.32.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-10 19:38 . 2009-08-10 19:38 16384 c:\windows\temp\Perflib_Perfdata_748.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Task Catcher"="c:\progra~1\BILLPS~1\TASKCA~1\tasktrap.exe" [2005-11-14 136760]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]

c:\documents and settings\tyrone webb\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-16 24576]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\A.tmp --> c:\windows\system32\A.tmp [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4061016
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {01D1261C-50F1-4438-A4A3-59A38DCA3AA2} = 68.28.242.91 68.28.250.92
FF - ProfilePath - c:\documents and settings\tyrone webb\Application Data\Mozilla\Firefox\Profiles\kqbbsxi3.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 15:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\OX5DLT19HPX5DLT1

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\A.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3932)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-08-10 15:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 19:41
ComboFix2.txt 2009-08-10 19:01
ComboFix3.txt 2009-08-10 18:35

Pre-Run: 26,732,208,128 bytes free
Post-Run: 26,698,997,760 bytes free

215 --- E O F --- 2009-08-07 23:16

____________________________________________________________________________

GMER Results

GMER 1.0.15.15020 [rsq9v7ce.exe] - http://www.gmer.net
Rootkit scan 2009-08-10 21:38:23
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000006.sys:1 8192 bytes executable

---- EOF - GMER 1.0.15 ----

Edited by Monkeyb00y, 10 August 2009 - 08:52 PM.




